Introduce the @safe attribute as described in the opt-in safety checking proposal

Author: DougGregor

include/swift/AST/Decl.h

@@ -235,6 +235,16 @@ enum class AssociatedValueCheck {
   HasAssociatedValues,
 };
 
+/// An explicit declaration of the safety of
+enum class ExplicitSafety {
+  /// There was no explicit declaration of the safety of the given entity.
+  Unspecified,
+  /// The entity was explicitly declared safe with @safe.
+  Safe,
+  /// The entity was explicitly declared unsafe with @unsafe.
+  Unsafe
+};
+
 /// Diagnostic printing of \c StaticSpellingKind.
 llvm::raw_ostream &operator<<(llvm::raw_ostream &OS, StaticSpellingKind SSK);
 
@@ -859,7 +869,6 @@ class alignas(1 << DeclAlignInBits) Decl : public ASTAllocated<Decl>, public Swi
   friend class ExpandPeerMacroRequest;
   friend class GlobalActorAttributeRequest;
   friend class SPIGroupsRequest;
-  friend class IsUnsafeRequest;
 
 private:
   llvm::PointerUnion<DeclContext *, ASTContext *> Context;
@@ -1203,9 +1212,9 @@ class alignas(1 << DeclAlignInBits) Decl : public ASTAllocated<Decl>, public Swi
   /// Whether this declaration predates the introduction of concurrency.
   bool preconcurrency() const;
 
-  /// Whether this declaration is considered "unsafe", i.e., should not be
-  /// used in a "safe" dialect.
-  bool isUnsafe() const;
+  /// Query whether this declaration was explicitly declared to be safe or
+  /// unsafe.
+  ExplicitSafety getExplicitSafety() const;
 
 private:
   bool isUnsafeComputed() const {
@@ -1816,8 +1825,13 @@ struct InheritedEntry : public TypeLoc {
   bool isPreconcurrency() const {
     return getOptions().contains(ProtocolConformanceFlags::Preconcurrency);
   }
-  bool isUnsafe() const {
-    return getOptions().contains(ProtocolConformanceFlags::Unsafe);
+
+  ExplicitSafety getExplicitSafety() const {
+    if (getOptions().contains(ProtocolConformanceFlags::Unsafe))
+      return ExplicitSafety::Unsafe;
+    if (getOptions().contains(ProtocolConformanceFlags::Safe))
+      return ExplicitSafety::Safe;
+    return ExplicitSafety::Unspecified;
   }
 
   bool isSuppressed() const { return IsSuppressed; }
@@ -1826,6 +1840,21 @@ struct InheritedEntry : public TypeLoc {
     RawOptions = (getOptions() | flag).toRaw();
   }
 
+  void setOption(ExplicitSafety safety) {
+    RawOptions = (getOptions() - ProtocolConformanceFlags::Unsafe
+                    - ProtocolConformanceFlags::Safe).toRaw();
+    switch (safety) {
+    case ExplicitSafety::Unspecified:
+      break;
+    case ExplicitSafety::Safe:
+      RawOptions = (getOptions() | ProtocolConformanceFlags::Safe).toRaw();
+      break;
+    case ExplicitSafety::Unsafe:
+      RawOptions = (getOptions() | ProtocolConformanceFlags::Unsafe).toRaw();
+      break;
+    }
+  }
+
   void setSuppressed() {
     assert(!IsSuppressed && "setting suppressed again!?");
     IsSuppressed = true;

include/swift/AST/DeclAttr.def

@@ -516,7 +516,7 @@ SIMPLE_DECL_ATTR(sensitive, Sensitive,
 SIMPLE_DECL_ATTR(unsafe, Unsafe,
   OnAbstractFunction | OnSubscript | OnVar | OnMacro | OnNominalType |
   OnExtension | OnTypeAlias | OnEnumElement | UserInaccessible |
-  ABIStableToAdd | ABIStableToRemove | APIBreakingToAdd | APIStableToRemove,
+  ABIStableToAdd | ABIStableToRemove | APIStableToAdd | APIStableToRemove,
   160)
 
 DECL_ATTR(lifetime, Lifetime,
@@ -531,7 +531,11 @@ SIMPLE_DECL_ATTR(_addressableForDependencies, AddressableForDependencies,
   OnNominalType | ABIBreakingToAdd | ABIBreakingToRemove | APIBreakingToAdd | APIBreakingToRemove | UserInaccessible,
   163)
 
-// 164 was the never-shipped @safe attribute and can be reused
+SIMPLE_DECL_ATTR(safe, Safe,
+  OnAbstractFunction | OnSubscript | OnVar | OnMacro | OnNominalType |
+  OnExtension | OnEnumElement | UserInaccessible |
+  ABIStableToAdd | ABIStableToRemove | APIStableToAdd | APIStableToRemove,
+  164)
 
 DECL_ATTR(abi, ABI,
   OnAbstractFunction | OnVar /* will eventually add types */ | LongAttribute | ABIStableToAdd | ABIStableToRemove | APIStableToAdd | APIStableToRemove,

include/swift/AST/ProtocolConformance.h

@@ -654,9 +654,14 @@ class NormalProtocolConformance : public RootProtocolConformance,
   /// known.
   SourceLoc getPreconcurrencyLoc() const { return PreconcurrencyLoc; }
 
-  /// Whether this is an "unsafe" conformance.
-  bool isUnsafe() const {
-    return getOptions().contains(ProtocolConformanceFlags::Unsafe);
+  /// Query whether this conformance was explicitly declared to be safe or
+  /// unsafe.
+  ExplicitSafety getExplicitSafety() const {
+    if (getOptions().contains(ProtocolConformanceFlags::Unsafe))
+      return ExplicitSafety::Unsafe;
+    if (getOptions().contains(ProtocolConformanceFlags::Safe))
+      return ExplicitSafety::Safe;
+    return ExplicitSafety::Unspecified;
   }
 
   /// Determine whether we've lazily computed the associated conformance array

include/swift/AST/ProtocolConformanceOptions.h

@@ -34,6 +34,9 @@ enum class ProtocolConformanceFlags {
   /// @retroactive conformance
   Retroactive = 0x08,
 
+  /// @safe conformance
+  Safe = 0x10,
+
   // Note: whenever you add a bit here, update
   // NumProtocolConformanceOptions below.
 };
@@ -49,7 +52,7 @@ inline ProtocolConformanceOptions operator|(
 }
 
 enum : unsigned {
-  NumProtocolConformanceOptions = 4
+  NumProtocolConformanceOptions = 5
 };
 
 } // end namespace swift

include/swift/AST/TypeCheckRequests.h

@@ -5175,24 +5175,6 @@ void simple_display(llvm::raw_ostream &out,
                     RegexLiteralPatternFeatureKind kind);
 SourceLoc extractNearestSourceLoc(RegexLiteralPatternFeatureKind kind);
 
-class IsUnsafeRequest
-    : public SimpleRequest<IsUnsafeRequest,
-                           bool(Decl *decl),
-                           RequestFlags::SeparatelyCached> {
-public:
-  using SimpleRequest::SimpleRequest;
-
-private:
-  friend SimpleRequest;
-
-  bool evaluate(Evaluator &evaluator, Decl *decl) const;
-
-public:
-  bool isCached() const { return true; }
-  std::optional<bool> getCachedResult() const;
-  void cacheResult(bool value) const;
-};
-
 class GenericTypeParamDeclGetValueTypeRequest
     : public SimpleRequest<GenericTypeParamDeclGetValueTypeRequest,
                            Type(GenericTypeParamDecl *decl),

include/swift/AST/TypeCheckerTypeIDZone.def

@@ -605,9 +605,6 @@ SWIFT_REQUEST(TypeChecker, CaptureInfoRequest,
 SWIFT_REQUEST(TypeChecker, ParamCaptureInfoRequest,
               CaptureInfo(ParamDecl *),
               SeparatelyCached, NoLocationInfo)
-SWIFT_REQUEST(TypeChecker, IsUnsafeRequest,
-              bool(Decl *),
-              SeparatelyCached, NoLocationInfo)
 SWIFT_REQUEST(TypeChecker, CustomDerivativesRequest,
               CustomDerivativesResult(SourceFile *),
               Cached, NoLocationInfo)

lib/AST/ASTContext.cpp

@@ -4076,7 +4076,8 @@ get(GenericTypeDecl *TheDecl, Type Parent, const ASTContext &C) {
   UnboundGenericType::Profile(ID, TheDecl, Parent);
   void *InsertPos = nullptr;
   RecursiveTypeProperties properties;
-  if (TheDecl->isUnsafe()) properties |= RecursiveTypeProperties::IsUnsafe;
+  if (TheDecl->getExplicitSafety() == ExplicitSafety::Unsafe)
+    properties |= RecursiveTypeProperties::IsUnsafe;
   if (Parent) properties |= Parent->getRecursiveProperties();
 
   auto arena = getArena(properties);
@@ -4129,7 +4130,8 @@ BoundGenericType *BoundGenericType::get(NominalTypeDecl *TheDecl,
   llvm::FoldingSetNodeID ID;
   BoundGenericType::Profile(ID, TheDecl, Parent, GenericArgs);
   RecursiveTypeProperties properties;
-  if (TheDecl->isUnsafe()) properties |= RecursiveTypeProperties::IsUnsafe;
+  if (TheDecl->getExplicitSafety() == ExplicitSafety::Unsafe)
+    properties |= RecursiveTypeProperties::IsUnsafe;
   if (Parent) properties |= Parent->getRecursiveProperties();
   for (Type Arg : GenericArgs) {
     properties |= Arg->getRecursiveProperties();
@@ -4211,7 +4213,8 @@ EnumType::EnumType(EnumDecl *TheDecl, Type Parent, const ASTContext &C,
 
 EnumType *EnumType::get(EnumDecl *D, Type Parent, const ASTContext &C) {
   RecursiveTypeProperties properties;
-  if (D->isUnsafe()) properties |= RecursiveTypeProperties::IsUnsafe;
+  if (D->getExplicitSafety() == ExplicitSafety::Unsafe)
+    properties |= RecursiveTypeProperties::IsUnsafe;
   if (Parent) properties |= Parent->getRecursiveProperties();
   auto arena = getArena(properties);
 
@@ -4228,7 +4231,8 @@ StructType::StructType(StructDecl *TheDecl, Type Parent, const ASTContext &C,
 
 StructType *StructType::get(StructDecl *D, Type Parent, const ASTContext &C) {
   RecursiveTypeProperties properties;
-  if (D->isUnsafe()) properties |= RecursiveTypeProperties::IsUnsafe;
+  if (D->getExplicitSafety() == ExplicitSafety::Unsafe)
+    properties |= RecursiveTypeProperties::IsUnsafe;
   if (Parent) properties |= Parent->getRecursiveProperties();
   auto arena = getArena(properties);
 
@@ -4245,7 +4249,8 @@ ClassType::ClassType(ClassDecl *TheDecl, Type Parent, const ASTContext &C,
 
 ClassType *ClassType::get(ClassDecl *D, Type Parent, const ASTContext &C) {
   RecursiveTypeProperties properties;
-  if (D->isUnsafe()) properties |= RecursiveTypeProperties::IsUnsafe;
+  if (D->getExplicitSafety() == ExplicitSafety::Unsafe)
+    properties |= RecursiveTypeProperties::IsUnsafe;
   if (Parent) properties |= Parent->getRecursiveProperties();
   auto arena = getArena(properties);
 
@@ -5396,7 +5401,8 @@ OptionalType *OptionalType::get(Type base) {
 ProtocolType *ProtocolType::get(ProtocolDecl *D, Type Parent,
                                 const ASTContext &C) {
   RecursiveTypeProperties properties;
-  if (D->isUnsafe()) properties |= RecursiveTypeProperties::IsUnsafe;
+  if (D->getExplicitSafety() == ExplicitSafety::Unsafe)
+    properties |= RecursiveTypeProperties::IsUnsafe;
   if (Parent) properties |= Parent->getRecursiveProperties();
   auto arena = getArena(properties);
 

lib/AST/ASTDumper.cpp

@@ -3857,6 +3857,7 @@ class PrintAttribute : public AttributeVisitor<PrintAttribute, void, StringRef>,
                        requires_stored_property_inits)
   TRIVIAL_ATTR_PRINTER(ResultBuilder, result_builder)
   TRIVIAL_ATTR_PRINTER(Rethrows, rethrows)
+  TRIVIAL_ATTR_PRINTER(Safe, safe)
   TRIVIAL_ATTR_PRINTER(SPIOnly, spi_only)
   TRIVIAL_ATTR_PRINTER(Sendable, sendable)
   TRIVIAL_ATTR_PRINTER(Sensitive, sensitive)

lib/AST/ASTPrinter.cpp

@@ -2895,8 +2895,18 @@ void PrintAST::printInherited(const Decl *decl) {
         Printer << "@retroactive ";
       if (inherited.isPreconcurrency())
         Printer << "@preconcurrency ";
-      if (inherited.isUnsafe())
+      switch (inherited.getExplicitSafety()) {
+      case ExplicitSafety::Unspecified:
+        break;
+
+      case ExplicitSafety::Safe:
+        Printer << "@safe ";
+        break;
+
+      case ExplicitSafety::Unsafe:
         Printer << "@unsafe ";
+        break;
+      }
       if (inherited.isSuppressed())
         Printer << "~";
     });

lib/AST/Decl.cpp

@@ -1087,11 +1087,54 @@ bool Decl::preconcurrency() const {
   return false;
 }
 
-bool Decl::isUnsafe() const {
-  return evaluateOrDefault(
-      getASTContext().evaluator,
-      IsUnsafeRequest{const_cast<Decl *>(this)},
-      false);
+/// Look at the attributes to determine whether they involve an attribute
+/// that explicitly specifies the safety of the declaration.
+static std::optional<ExplicitSafety>
+getExplicitSafetyFromAttrs(const Decl *decl) {
+  // If it's marked @unsafe, it's unsafe.
+  if (decl->getAttrs().hasAttribute<UnsafeAttr>())
+    return ExplicitSafety::Unsafe;
+
+  // If it's marked @safe, it's safe.
+  if (decl->getAttrs().hasAttribute<SafeAttr>())
+    return ExplicitSafety::Safe;
+
+  return std::nullopt;
+}
+
+ExplicitSafety Decl::getExplicitSafety() const {
+  // Check the attributes on the declaration itself.
+  if (auto safety = getExplicitSafetyFromAttrs(this))
+    return *safety;
+
+  // Inference: Check the enclosing context.
+  if (auto enclosingDC = getDeclContext()) {
+    // Is this an extension with @safe or @unsafe on it?
+    if (auto ext = dyn_cast<ExtensionDecl>(enclosingDC)) {
+      if (auto extSafety = getExplicitSafetyFromAttrs(ext))
+        return *extSafety;
+    }
+
+    if (auto enclosingNominal = enclosingDC->getSelfNominalTypeDecl())
+      if (auto nominalSafety = getExplicitSafetyFromAttrs(enclosingNominal))
+        return *nominalSafety;
+  }
+
+  // If an extension extends an unsafe nominal type, it's unsafe.
+  if (auto ext = dyn_cast<ExtensionDecl>(this)) {
+    if (auto nominal = ext->getExtendedNominal())
+      if (nominal->getExplicitSafety() == ExplicitSafety::Unsafe)
+        return ExplicitSafety::Unsafe;
+  }
+
+  // If this is a pattern binding declaration, check whether the first
+  // variable is @unsafe.
+  if (auto patternBinding = dyn_cast<PatternBindingDecl>(this)) {
+    if (auto var = patternBinding->getSingleVar())
+      return var->getExplicitSafety();
+  }
+
+  return ExplicitSafety::Unspecified;
 }
 
 Type AbstractFunctionDecl::getThrownInterfaceType() const {